Cencora confirms patient health info stolen in February attack


Pharmaceutical giant Cencora has confirmed that patients’ protected health information and personally identifiable information (PII) was exposed in a February cyberattack.

Cencora, previously known as AmerisourceBergen, specializes in pharmaceutical services, providing drug distribution and technology solutions for doctor’s offices, pharmacies, and animal healthcare. 

The company is ranked #10 on the Fortune 500 and #24 on the Global Fortune 500, with a revenue of more than $250 billion.

When Cencora first disclosed the cyberattack in February, it warned that the threat actors had stolen personal information.

In a Wednesday FORM 8-K filing with the SEC, Cencora has now confirmed that protected health information and personally identifiable information were also stolen.

“Through that investigation, the Company learned that additional data, beyond what was initially identified, had been exfiltrated. The Company has identified and completed its review of most of the exfiltrated data (the “Data”),” reads the SEC filing.

“This review has confirmed that the Data included personally identifiable information (“PII”) and protected health information (“PHI”) of individuals, most of which is maintained by a Company subsidiary that provides patient support services.”

This is the first time that Cencora confirmed protected health information was exposed. However, some of the largest pharmaceutical firms in the United States that partner with Cencora had already disclosed that patient’s health information was exposed in the attack.

This information includes a patient’s first name, last name, address, date of birth, health diagnosis, and/or medications and prescriptions.

Some of the pharmaceutical companies impacted by this breach include Novartis, Bayer, AbbVie, Regeneron Pharmaceuticals, Genentech, Incyte, Sumitomo Pharma America, Acadia Pharmaceuticals, GlaxoSmithKline Group, Endo Pharmaceuticals, and Dendreon Pharmaceuticals.

Cencora has not shared much information about the cyberattack other than telling BleepingComputer that they did not believe there was a connection between their incident and the Change Healthcare attack.

Recently, it was revealed that a Fortune 50 company paid a record-breaking $75 million ransom to the Dark Angels ransomware operation early this year.

While Cencora has not confirmed whether it suffered a ransomware attack or paid a ransom, it is the only Fortune 50 company known to have suffered a cyberattack that was not claimed by a threat actor.

BleepingComputer contacted Cencora earlier this week to ask if they paid a ransom but did not receive a response.



Source link